Malicious email with telegram alert

Malicious Email with Telegram Integration

Overview

This workflow automates the detection and blocking of malicious URLs found in employee emails through an intelligent human-in-the-loop approval process. It scans emails for suspicious URLs, requests approval via Telegram, and automatically creates blocking rules in Cloudflare Zero Trust when threats are confirmed.

How It Works

  1. Retrieve Email: Fetches a specific email from Outlook by message ID to begin the malicious URL detection process.
  2. Scan URLs: Extracts URLs from the email content and analyzes them with a malicious URL scanner to identify potential threats.
  3. Format Notification: Builds a structured Telegram message listing the detected malicious URLs with their threat type classifications and user-friendly approval options.
  4. Send Telegram Alert: Delivers the interactive notification to security personnel via Telegram, with approve/deny buttons for the blocking decision.
  5. Wait for Approval: Processes the human response from Telegram to determine whether to proceed with blocking the malicious domains.
  6. Create Domain List: Upon approval, compiles the malicious domains into a timestamped list for the Cloudflare Zero Trust gateway configuration.
  7. Generate Gateway List: Creates the domain list in Cloudflare Zero Trust with timestamped naming for tracking and audit purposes.
  8. Create Blocking Rule: Generates an HTTP traffic filtering rule that blocks access to the approved malicious domains.
  9. Deploy Protection: Enables the blocking rule in the Cloudflare Zero Trust gateway to immediately protect the organization from the confirmed threats.
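The following is an added, offline model of steps 2 through 8, written for this page and not taken from the n8n template itself. It extracts URLs from a constructed email body, joins them with constructed scanner verdicts (the page does not name the scanner, so the verdict table is a stand-in), builds the Telegram `sendMessage` payload with inline approve/deny buttons, binds the approval to the originating email's message ID, and then produces the Cloudflare Zero Trust gateway list and block rule payloads. The Cloudflare payload shapes follow the public Gateway lists/rules API as the author understands it; the `$<list id without hyphens>` reference in the `traffic` expression and the placeholder list UUID are assumptions, and no network calls are made.

```python
"""Offline model of the Telegram-approved URL blocking workflow (added example)."""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Matches http(s) URLs up to whitespace or common delimiters.
URL_RE = re.compile(r'''https?://[^\s<>"')\]]+''', re.IGNORECASE)

def extract_urls(body):
    """Step 2: return the distinct http(s) URLs in the email text, in order."""
    seen, out = set(), []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")          # drop trailing sentence punctuation
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out

def domain_of(url):
    return urlparse(url).hostname.lower()

def find_malicious(urls, verdicts):
    """Join URLs with scanner verdicts; verdicts maps URL -> threat type or None."""
    return [{"url": u, "domain": domain_of(u), "threat": verdicts[u]}
            for u in urls if verdicts.get(u)]

def build_telegram_message(chat_id, message_id, findings):
    """Steps 3/4: Telegram sendMessage payload with an inline approve/deny keyboard."""
    lines = ["Malicious URLs detected in email %s:" % message_id]
    lines += ["- %s (%s)" % (f["domain"], f["threat"]) for f in findings]
    lines.append("Block these domains in Cloudflare Zero Trust?")
    return {
        "chat_id": chat_id,
        "text": "\n".join(lines),
        "reply_markup": {"inline_keyboard": [[
            {"text": "Approve block", "callback_data": "approve:" + message_id},
            {"text": "Deny", "callback_data": "deny:" + message_id},
        ]]},
    }

def approval_from_callback(callback_data, message_id):
    """Step 5: only an 'approve' press tied to the same email counts as approval."""
    action, _, mid = callback_data.partition(":")
    return action == "approve" and mid == message_id

def build_gateway_list(domains, now):
    """Steps 6/7: timestamped DOMAIN list body for POST .../gateway/lists."""
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    return {
        "name": "malicious-email-%s" % stamp,
        "type": "DOMAIN",
        "description": "Domains approved for blocking via Telegram at %s" % stamp,
        "items": [{"value": d} for d in sorted(set(domains))],
    }

def build_gateway_rule(list_id, list_name):
    """Step 8: HTTP block rule body for POST .../gateway/rules.
    Assumption: lists are referenced in wirefilter as '$' + UUID without hyphens."""
    ref = "$" + list_id.replace("-", "")
    return {
        "name": "block-" + list_name,
        "action": "block",
        "enabled": True,
        "filters": ["http"],
        "traffic": "any(http.request.domains[*] in %s)" % ref,
    }

def run(email_body, verdicts, chat_id, message_id, callback, now, list_id):
    """Drive the whole approval path; list_id stands in for the ID Cloudflare
    returns after the list is created."""
    findings = find_malicious(extract_urls(email_body), verdicts)
    if not findings:
        return {"status": "clean", "alert": None, "list": None, "rule": None}
    alert = build_telegram_message(chat_id, message_id, findings)
    if not approval_from_callback(callback, message_id):
        return {"status": "denied", "alert": alert, "list": None, "rule": None}
    glist = build_gateway_list([f["domain"] for f in findings], now)
    rule = build_gateway_rule(list_id, glist["name"])
    return {"status": "blocked", "alert": alert, "list": glist, "rule": rule}

# Constructed sample inputs (not real data).
SAMPLE_EMAIL = (
    "Your invoice is ready: https://login-example.invalid/verify?x=1 .\n"
    "Also see https://docs.example.com/guide and http://login-example.invalid/verify?x=1"
)
SAMPLE_VERDICTS = {  # constructed scanner output
    "https://login-example.invalid/verify?x=1": "phishing",
    "https://docs.example.com/guide": None,
    "http://login-example.invalid/verify?x=1": "phishing",
}
SAMPLE_MESSAGE_ID = "AAMk-constructed-message-id"
SAMPLE_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
PLACEHOLDER_LIST_ID = "00000000-0000-0000-0000-000000000000"  # placeholder UUID

if __name__ == "__main__":
    result = run(SAMPLE_EMAIL, SAMPLE_VERDICTS, "123456", SAMPLE_MESSAGE_ID,
                 "approve:" + SAMPLE_MESSAGE_ID, SAMPLE_NOW, PLACEHOLDER_LIST_ID)
    print(result["status"], result["list"]["name"], result["rule"]["traffic"])
```

Tying the callback data to the message ID matters in practice: a stale or unrelated button press from the Telegram chat should not trigger a block, and the rule only ever references domains that were shown to the approver in the alert text.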

Who is this for?

Security Operations Teams that require human oversight of automated blocking decisions, balancing automation with business context. Small to medium organizations that need cost-effective email threat protection with limited security staff availability. Companies that use Cloudflare Zero Trust for network security and prefer mobile-friendly security workflows through Telegram integration.

What problem does this workflow solve?

Fully automated URL blocking often creates false positives that disrupt business operations, while manual review processes are too slow to keep up with fast-moving email threats. This workflow resolves that dilemma by sending instant mobile notifications via Telegram for security approval, enabling rapid, human-verified blocking decisions that protect the organization without the disruption caused by incorrectly blocking legitimate domains.